Conjugate Codes and Applications to Cryptography

Mitsuru Hamada
Research Center for Quantum Information Science, Tamagawa University Research Institute, 6-1-1 Tamagawa-gakuen, Machida, Tokyo 194-8610, Japan
PRESTO, Japan Science and Technology Agency, 4-1-8 Honcho, Kawaguchi, Saitama, Japan
arXiv:quant-ph/0610193v1, 23 Oct 2006

Abstract—A conjugate code pair is defined as a pair of linear codes such that one contains the dual of the other. The conjugate code pair represents the essential structure of the corresponding Calderbank-Shor-Steane (CSS) quantum code. It is argued that conjugate code pairs are applicable to quantum cryptography in order to motivate studies on conjugate code pairs.

Index Terms—conjugate codes, quotient codes, cryptographic codes.

I. INTRODUCTION

Since the invention of the first algebraic quantum error-correcting code (QECC) by Shor [1] in 1995, the theory of QECCs has been developed rapidly. The first code was soon extended to a class of algebraic QECCs called Calderbank-Shor-Steane (CSS) codes [2] and then to a more general class of QECCs, which are called symplectic codes or stabilizer codes [3], [4], [5]. In this paper, we focus on CSS codes. It is well known that this class of symplectic codes is useful for quantum key distribution (QKD), at least in theory. In particular, Shor and Preskill [6] argued that the security of the famous Bennett-Brassard 1984 (BB84) QKD protocol could be proved by evaluating the fidelity of the quantum error-correcting codes underlying the protocol. The term 'conjugate codes' appearing in the title is almost a synonym for CSS codes if one forgets about the quantum mechanical operations for encoding or decoding and pays attention only to what can be done in the coding theorists' universe of finite fields. This term was coined here so that this issue would be more accessible to those unfamiliar with quantum information theory.
Recently, the present author [7] proved the existence of CSS codes that outperform those proved to exist in the literature [2], and quantified the security and reliability of CSS-code-based QKD schemes rigorously, assuming ideal discrete quantum systems. Although we treated QKD in [7], the CSS-code-based QKD scheme can be viewed as merely one application of conjugate codes (CSS codes). For example, the arguments in [7] also imply that conjugate codes can be used as cryptographic codes that directly encrypt secret data, as will be elucidated in the sequel. Here, we remark that QKD means techniques for sharing a secret key between remote parties, and the shared key itself is not the secret message that the sender wishes to send. A typical scenario is that after sharing the key, the sender encrypts secret data using the key and sends it to the receiver, and the receiver decrypts the data using the shared key. Direct encryption is mightier, and can be used as QKD if one wishes.

Turning back to the original motivation of (algebraic) QECCs, these codes are deemed indispensable for quantum computing since quantum states are more vulnerable to errors or quantum noise, most notably to decoherence. Among QECCs, CSS codes are said to be suited for fault-tolerant quantum computing (e.g., [8] and references therein).

The aim of this work is to enhance motivation to study this class of codes. In particular, applications to cryptography, which allow direct encryption, are emphasized. We remark that a large portion of this paper is nearly a paraphrase of a part of [7], though our description is slightly more general in that we explicitly treat a general code pair (C1, C2) satisfying a certain condition, which will be given shortly, whereas [7] describes the result for the case where C1 = C2.

This paper is organized as follows. In Section II, conjugate codes are introduced, and in Section III, CSS quantum codes are explained.
In Section IV, it is argued that conjugate code pairs are applicable to quantum cryptography. General symplectic codes and quotient codes are explained in Sections V and VI, respectively. Sections VII and VIII contain remarks and a summary, respectively.

II. CONJUGATE CODES

We write $B \le C$ if $B$ is a subgroup of an additive group $C$. We use a finite field $\mathbb{F}_q$ of $q$ elements, and the dot product defined by
$$(x_1,\dots,x_n)\cdot(y_1,\dots,y_n) = \sum_{i=1}^{n} x_i y_i \qquad (1)$$
for vectors in $\mathbb{F}_q^n$. We let $C^\perp$ denote $\{y \in \mathbb{F}_q^n \mid \forall x \in C,\ x\cdot y = 0\}$ for a subset $C$ of $\mathbb{F}_q^n$. We mean by an $[[n,k]]$ conjugate (complementary) code pair or CSS code pair over $\mathbb{F}_q$ a pair $(C_1, C_2)$ consisting of an $[n,k_1]$ linear code $C_1$ and an $[n,k_2]$ linear code $C_2$ satisfying (see footnote 1)
$$C_2^\perp \le C_1, \qquad (2)$$
which condition is equivalent to $C_1^\perp \le C_2$, and
$$k = k_1 + k_2 - n. \qquad (3)$$
If $C_1$ and $C_2$ satisfy (2), the quotient codes $C_1/C_2^\perp$ and $C_2/C_1^\perp$ are said to be conjugate. The notion of quotient codes was introduced in [9], and will be explained in Section VI.

The goal, in the long run, is to find a conjugate code pair $(C_1, C_2)$ such that both $C_1/C_2^\perp$ and $C_2/C_1^\perp$ have good performance. If the linear codes $C_1$ and $C_2$ both have good performance, so do $C_1/C_2^\perp$ and $C_2/C_1^\perp$. Hence, a conjugate code pair $(C_1, C_2)$ with good (not necessarily a technical term) $C_1$ and $C_2$ is also desirable.

Footnote 1: When the number of elements of a code $C \subseteq \mathbb{F}_q^n$ is $q^k$, it is called an $[n,k]$ code. Readers unfamiliar with coding theory are referred to [9, Section 2] or standard textbooks such as [10], [11], [12], [13], [14].

III. CALDERBANK-SHOR-STEANE CODES

The complex linear space of operators on a Hilbert space $\mathcal{H}$ is denoted by $\mathsf{L}(\mathcal{H})$. A quantum code usually means a pair $(Q, \mathcal{R})$ consisting of a subspace $Q$ of $\mathcal{H}^{\otimes n}$ and a trace-preserving completely positive (TPCP) linear map $\mathcal{R}$ on $\mathsf{L}(\mathcal{H}^{\otimes n})$, called a recovery operator. The subspace $Q$ alone is also called a code. Symplectic codes have more structure: they are simultaneous eigenspaces of commuting operators on $\mathcal{H}^{\otimes n}$. Once a set of commuting operators is specified, we have a collection of eigenspaces of them. A symplectic code refers to either such an eigenspace or a collection of eigenspaces, each possibly accompanied by a suitable recovery operator.

In this section and the next, we assume $\mathcal{H}$ is a Hilbert space of dimension $q$, and $q$ is a prime (but see Section VII-E). Then, $\mathbb{F}_q = \mathbb{Z}/q\mathbb{Z}$. We fix an orthonormal basis $(|i\rangle)_{i=0}^{q-1}$ of $\mathcal{H}$. In constructing symplectic codes, the following basis of $\mathsf{L}(\mathcal{H}^{\otimes n})$ is used. Let unitary operators $X$, $Z$ on $\mathcal{H}$ be defined by
$$X|j\rangle = |j-1\rangle, \qquad Z|j\rangle = \omega^j |j\rangle, \qquad j \in \mathbb{F}_q, \qquad (4)$$
with $\omega$ being a primitive $q$-th root of unity (e.g., $e^{i2\pi/q}$). For $u = (u_1,\dots,u_n) \in \mathbb{F}_q^n$, let $X^u$ and $Z^u$ denote $X^{u_1}\otimes\cdots\otimes X^{u_n}$ and $Z^{u_1}\otimes\cdots\otimes Z^{u_n}$, respectively. The operators $X^u Z^w$, $u,w \in \mathbb{F}_q^n$, form a basis of $\mathsf{L}(\mathcal{H}^{\otimes n})$, which we call the Weyl (unitary) basis [15]. We have the commutation relation
$$(X^u Z^w)(X^{u'} Z^{w'}) = \omega^{u\cdot w' - w\cdot u'} (X^{u'} Z^{w'})(X^u Z^w), \qquad (5)$$
for $u, w, u', w' \in \mathbb{F}_q^n$, which follows from $XZ = \omega ZX$. It is sometimes useful to rearrange the components of $(u,w)$ appearing in the operators $X^u Z^w$ in the Weyl basis as follows: for $u = (u_1,\dots,u_n)$ and $w = (w_1,\dots,w_n) \in \mathbb{F}_q^n$, we denote by $[u,w]$ the rearranged one $((u_1,w_1),\dots,(u_n,w_n)) \in \mathcal{X}^n$, where $\mathcal{X} = \mathbb{F}_q \times \mathbb{F}_q$. We occasionally use another symbol $N$ for the Weyl basis: $N_{[u,w]} = X^u Z^w$ and $N_J = \{N_x \mid x \in J\}$, $J \subseteq \mathcal{X}^n$.

An obvious but important consequence of (5) is that $X^u Z^w$ and $X^{u'} Z^{w'}$ commute if and only if $u\cdot w' - w\cdot u' = 0$. The map
$$([u,w],[u',w']) \mapsto u\cdot w' - w\cdot u' \qquad (6)$$
is a symplectic bilinear form, which we refer to as standard.

A CSS code is specified by two classical linear codes (i.e., subspaces of $\mathbb{F}_q^n$) $C_1$ and $C_2$ with (2) (see footnote 2). Coset structures are exploited in the construction of CSS codes. We fix some set of coset representatives of the factor group $\mathbb{F}_q^n/C_1$, for which the letter $x$ is always used to refer to a coset representative in this section, that of $C_1/C_2^\perp$, for which $v$ is used, and that of $\mathbb{F}_q^n/C_2$, for which $z$ is used. These may be written as
$$x \in \mathbb{F}_q^n/C_1, \qquad z \in \mathbb{F}_q^n/C_2, \qquad v \in C_1/C_2^\perp,$$
where $\in$ is in abuse as usual. Put $k_1 = \dim C_1$, $k_2 = \dim C_2$, and assume $g_1,\dots,g_{n-k_2}$ form a basis of $C_2^\perp$, and $h_1,\dots,h_{n-k_1}$ form a basis of $C_1^\perp$. We assume $k_1$ is larger than $n-k_2$. The operators
$$Z^{h_1},\dots,Z^{h_{n-k_1}},\ X^{g_1},\dots,X^{g_{n-k_2}}, \qquad (7)$$
which generate the so-called stabilizer of the CSS code, commute with each other, so that we have simultaneous eigenspaces of these operators. Specifically, put
$$|\phi_{xzv}\rangle = \frac{1}{\sqrt{|C_2^\perp|}} \sum_{w \in C_2^\perp} \omega^{z\cdot w}\, |x+v+w\rangle \qquad (8)$$
for coset representatives $x$, $z$ and $v$. Then, we have
$$Z^{h_j}|\phi_{xzv}\rangle = \omega^{x\cdot h_j}|\phi_{xzv}\rangle, \qquad j = 1,\dots,n-k_1,$$
and
$$X^{g_j}|\phi_{xzv}\rangle = \omega^{z\cdot g_j}|\phi_{xzv}\rangle, \qquad j = 1,\dots,n-k_2.$$
It can be checked that $|\phi_{xzv}\rangle$, $x \in \mathbb{F}_q^n/C_1$, $z \in \mathbb{F}_q^n/C_2$, $v \in C_1/C_2^\perp$, form an orthonormal basis of $\mathcal{H}^{\otimes n}$. In words, we have $q^{k_1+k_2-n}$-dimensional subspaces $Q_{xz}$ such that $\bigoplus_{x,z} Q_{xz} = \mathcal{H}^{\otimes n}$ and $Q_{xz}$ is spanned by the orthonormal vectors $|\phi_{xzv}\rangle$, $v \in C_1/C_2^\perp$, for each pair $(x,z) \in (\mathbb{F}_q^n/C_1)\times(\mathbb{F}_q^n/C_2)$. The subspaces $Q_{xz}$, $(x,z) \in (\mathbb{F}_q^n/C_1)\times(\mathbb{F}_q^n/C_2)$, are the simultaneous eigenspaces of the operators in (7), and form a CSS code. In [7], we treated the case when $C_1 = C_2 = C^\perp$ with a code $C$. In this case, $C$ is necessarily self-orthogonal (see footnote 3) by (2). We will consistently use $k$ to denote the logarithm of the dimension of $Q_{xz}$, viz.,
$$k = k_1 + k_2 - n = \log_q \dim_{\mathbb{C}} Q_{xz}. \qquad (9)$$

Footnote 2: Our code pair $(C_1, C_2)$ often appears as $(C_1, C_2^\perp)$ in the literature [2], [6], [9]. Our choice would be more acceptable to coding theorists because good (not necessarily a technical term) codes $C_1$ and $C_2$ result in a good CSS code, while the performance of $C_2^\perp$ seemingly has no direct meaning.

Footnote 3: A subspace $C$ with $C \le C^\perp$, which is equivalent to $\forall x, y \in C$, $x\cdot y = 0$, is said to be self-orthogonal (with respect to the dot product).

Decoding or recovery operation for a CSS quantum code can be done as follows. If we choose a set $\Gamma_i$ of coset representatives of $\mathbb{F}_q^n/C_i$ ($i = 1,2$), we can construct a recovery operator $\mathcal{R}$ for $Q_{xz}$ so that the code $(Q_{xz}, \mathcal{R})$ is $N_{J(\Gamma_1,\Gamma_2)}$-correcting in the sense of [16], where $J(\cdot,\cdot)$ is defined by
$$J(\Gamma_1,\Gamma_2) = \{[x,z] \mid x \in \Gamma_1 \text{ and } z \in \Gamma_2\}.$$
In fact, $Q_{xz}$ is $N_{J(\Gamma_1',\Gamma_2')}$-correcting with
$$\Gamma_1' = \Gamma_1 + C_2^\perp \qquad (10)$$
and
$$\Gamma_2' = \Gamma_2 + C_1^\perp. \qquad (11)$$
This directly follows from the general theory of symplectic codes [4], [5], [17, Proposition A.2] on noticing that the operators in the Weyl basis that commute with all of those in (7) are $X^u Z^w$, $u \in C_1$, $w \in C_2$ (see also Sections V and VI).

IV. CSS CODES AS CRYPTOGRAPHIC CODES

Schumacher [18, Section V-C], using the Holevo bound, argued that if a good quantum channel code is used as a cryptographic code, the amount of information leakage to a possible eavesdropper is small. In this section, we will apply Schumacher's argument to CSS codes.

A. Quantum Codes and Quantum Cryptography

Suppose we send $k$-digit secret information $\mathsf{V} + C_2^\perp \in C_1/C_2^\perp$ physically encoded into the state $|\phi_{\mathsf{XZV}}\rangle \in Q_{\mathsf{XZ}}$, where we regard $\mathsf{X}$, $\mathsf{Z}$ as random variables, and assume $(\mathsf{X},\mathsf{Z})$ are randomly chosen according to some distribution $P_{\mathsf{XZ}}$ (see footnote 4). Once the eavesdropper, Eve, has done an eavesdropping, namely, a series of measurements, Eve's measurement results form another random variable, say, $\mathsf{E}$. We use the standard symbol $I$ to denote the mutual information (in information theory).
According to [18, Section V-C],
$$I(\mathsf{V};\mathsf{E} \mid \mathsf{X} = x, \mathsf{Z} = z) \le S_{xz}, \qquad (12)$$
where $S_{xz}$ is the entropy exchange after the system suffers a channel noise $\mathcal{N}$, Eve's attack $\mathcal{E}$, another channel noise $\mathcal{N}'$, and the recovery operation $\mathcal{R} = \mathcal{R}_{xz}$ for $Q_{xz}$ at the receiver's end. Let us denote by $F_{xz}$ the fidelity of the code $(Q_{xz}, \mathcal{R})$ employing the entanglement fidelity $F_e$ [18]. Specifically,
$$F_{xz} = F_e\big(\pi_{Q_{xz}},\ \mathcal{R}\mathcal{N}'\mathcal{E}\mathcal{N}\big),$$
where $\pi_Q$ denotes the normalized projection operator onto $Q$, and $\mathcal{B}\mathcal{A}(\rho) = \mathcal{B}(\mathcal{A}(\rho))$ for two CP maps $\mathcal{A}$ and $\mathcal{B}$, etc. Then, by the quantum Fano inequality [18, Section VI], we have
$$S_{xz} \le h(F_{xz}) + (1 - F_{xz})\,2nR, \qquad (13)$$
where $h$ is the binary entropy function and $R = n^{-1}\log_q \dim Q_{xz}$. Combining (12) and (13) and taking the averages of the end sides, we obtain
$$I(\mathsf{V};\mathsf{E} \mid \mathsf{XZ}) \le \mathbb{E}\,h(F_{\mathsf{XZ}}) + (1 - \mathbb{E}F_{\mathsf{XZ}})\,2nR \le h(\mathbb{E}F_{\mathsf{XZ}}) + (1 - \mathbb{E}F_{\mathsf{XZ}})\,2nR, \qquad (14)$$
where $\mathbb{E}$ denotes the expectation operator with respect to $(\mathsf{X},\mathsf{Z})$. Hence, if $1 - \mathbb{E}F_{\mathsf{XZ}}$ goes to zero faster than $1/n$, then $I(\mathsf{V};\mathsf{E} \mid \mathsf{XZ}) \to 0$ as $n \to \infty$. We have seen in [7] that the convergence is, in fact, exponential for some good CSS codes, viz., $1 - \mathbb{E}F_{\mathsf{XZ}} \le q^{-nE+o(n)}$ with some $E > 0$. This, together with (14), implies
$$I(\mathsf{V};\mathsf{E} \mid \mathsf{XZ}) \le 2q^{-nE+o(n)}\,[n(E+R) - o(n)], \qquad (15)$$
where we used the upper bound $-2t\log t$ for $h(t)$, $0 \le t \le 1/2$, which can easily be shown by differentiating $t\log t$ (or by Lemma 2.7 of [19]). Thus, we could safely send secret data $v + C_2^\perp$ provided we could send the entangled state $|\phi_{xzv}\rangle$ in (8) and the noise level of the quantum channel, including Eve's action, were tolerable by the quantum code.

In the above scheme, the legitimate sender, Alice, and receiver, Bob, should share the random variables $\mathsf{XZ}$, say, by sending them through a public channel that is free from tampering by malicious parties (but see Section IV-C). In particular, we assume Eve can possibly observe $\mathsf{XZ}$ without tampering with them, as in the literature on quantum key distribution.

Footnote 4: The probability distribution of a random variable $\mathsf{Y}$ is denoted by $P_{\mathsf{Y}}$.

B.
Reduction to Cryptographic Code

In [7], borrowing the idea of [6], we reduced the above cryptographic scheme to the BB84 protocol. We now explain that this reduction argument also shows that conjugate code pairs (CSS codes) can be used as cryptographic codes. The above scheme is simply summarized as 'choose $\mathsf{XZ} = xz$ randomly, and encode the secret data into the basis $(|\phi_{xzv}\rangle)_v$ of the quantum code $Q_{\mathsf{XZ}}$.' We would encounter several difficulties and drawbacks in implementing the above scheme in this form. Among others, the state $|\phi_{xzv}\rangle$ defined in (8) is entangled in general, and therefore the above scheme is hard to implement with current technology. To overcome this problem, we use Shor and Preskill's observation that the probabilistic mixture of $|\phi_{xzv}\rangle$ with $x$, $v$ fixed and $z$ chosen uniformly at random over the coset representatives of $\mathbb{F}_q^n/C_2$ is given as
$$\frac{1}{|C_2^\perp|}\sum_{z} |\phi_{xzv}\rangle\langle\phi_{xzv}| = \frac{1}{|C_2^\perp|}\sum_{w \in C_2^\perp} |w+v+x\rangle\langle w+v+x|, \qquad (16)$$
which can be prepared as the mixture of states $|w+v+x\rangle$ with no entanglement (see footnote 5). Then, clearly, if Alice sends the secret data $v$ encoded into the state in (16) with $x$ chosen randomly according to $P_{\mathsf{X}}$ (the marginal distribution of $P_{\mathsf{XZ}}$), the inequalities deduced in the previous subsection, in particular the bound on the information leakage to Eve in (15), remain true. Thus, we can send secret data safely by the following scheme.

Conjugate-Code-Based Cryptographic Code. Alice sends $k$-digit secret information $\mathsf{V} + C_2^\perp \in C_1/C_2^\perp$ physically encoded into the state in (16), where $\mathsf{X} = x$ is chosen randomly according to some distribution $P_{\mathsf{X}}$.

In this case, Alice and Bob should share $\mathsf{X} = x$. We remark that the random variable $\mathsf{Z}$, the states $|\phi_{xzv}\rangle$ and the recovery operator $\mathcal{R}_{xz}$ are fictitious in that they do not appear in the above reduced cryptographic code, but they proved useful for demonstrating the security. These need only exist in theory, and need not be implemented in practice.

Footnote 5: A proof of (16) is given in Section VII-F.
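The following is an added numerical check of (16) and of the orthonormality claim of Section III; it is written for this page and is not part of the paper. It builds the states (8) for a constructed ternary instance ($q = 3$, $n = 3$, $C_1 = C_2$ the zero-sum code, so $C_2^\perp = \{000, 111, 222\}$ and $k = 2 + 2 - 3 = 1$), then verifies that the uniform mixture over $z$ of $|\phi_{xzv}\rangle\langle\phi_{xzv}|$ coincides with the classical mixture of the product states $|x+v+w\rangle$, exactly the character-sum argument of Section VII-F. Names such as `phi`, `z_averaged_state` and `classical_mixture` are this example's own.

```python
"""Added example (not from the paper): numerical check of identity (16).

Constructed instance over F_3 with n = 3:
  C1 = C2 = {x : x1 + x2 + x3 = 0}  (the [3,2] zero-sum code)
  C2^perp = {000, 111, 222} <= C1, so (2) holds and k = 2 + 2 - 3 = 1.
States are stored as dicts {basis label (tuple over F_3) -> complex amplitude}.
"""
import cmath
from itertools import product

Q, N = 3, 3
OMEGA = cmath.exp(2j * cmath.pi / Q)       # primitive q-th root of unity, as in (4)

def vec_add(a, b):
    return tuple((x + y) % Q for x, y in zip(a, b))

def dot(a, b):
    """Dot product (1) over F_q."""
    return sum(x * y for x, y in zip(a, b)) % Q

ALL = list(product(range(Q), repeat=N))
C1 = [x for x in ALL if sum(x) % Q == 0]
C2 = C1
C2_PERP = [y for y in ALL if all(dot(x, y) == 0 for x in C2)]   # brute-force dual

def coset_reps(group, sub):
    """One representative per coset of `sub` in `group` (first in lexicographic order)."""
    reps, seen = [], set()
    for g in group:
        if g not in seen:
            reps.append(g)
            seen.update(vec_add(g, s) for s in sub)
    return reps

X_REPS = coset_reps(ALL, C1)        # x in F_q^n / C1
Z_REPS = coset_reps(ALL, C2)        # z in F_q^n / C2  (|Z_REPS| = |C2^perp|)
V_REPS = coset_reps(C1, C2_PERP)    # v in C1 / C2^perp: the q^k = 3 messages

def phi(x, z, v):
    """Code state (8): (1/sqrt|C2^perp|) sum_w omega^{z.w} |x+v+w>."""
    amp = 1 / (len(C2_PERP) ** 0.5)
    return {vec_add(vec_add(x, v), w): amp * OMEGA ** dot(z, w) for w in C2_PERP}

def inner(s, t):
    return sum(a.conjugate() * t.get(k, 0) for k, a in s.items())

def projector(state):
    """|state><state| as a dict {(i, j) -> entry}."""
    return {(i, j): a * b.conjugate() for i, a in state.items() for j, b in state.items()}

def z_averaged_state(x, v):
    """Left-hand side of (16): uniform mixture over z of |phi_xzv><phi_xzv|."""
    rho = {}
    for z in Z_REPS:
        for key, val in projector(phi(x, z, v)).items():
            rho[key] = rho.get(key, 0) + val / len(Z_REPS)
    return rho

def classical_mixture(x, v):
    """Right-hand side of (16): mixture of the unentangled basis states |x+v+w>."""
    return {(vec_add(vec_add(x, v), w),) * 2: 1 / len(C2_PERP) for w in C2_PERP}

def identity_16_holds(x, v, tol=1e-12):
    lhs, rhs = z_averaged_state(x, v), classical_mixture(x, v)
    keys = set(lhs) | set(rhs)
    # Off-diagonal terms carry sum_z omega^{z.(w-w')}, which cancels for w != w'.
    return all(abs(lhs.get(k, 0) - rhs.get(k, 0)) < tol for k in keys)

def all_cases_hold():
    return all(identity_16_holds(x, v) for x in X_REPS for v in V_REPS)

def states_orthonormal(tol=1e-12):
    """The 27 states (8) form an orthonormal basis of (C^3)^{(x)3}, as Section III claims."""
    labels = [(x, z, v) for x in X_REPS for z in Z_REPS for v in V_REPS]
    states = {lab: phi(*lab) for lab in labels}
    return all(abs(inner(states[a], states[b]) - (1.0 if a == b else 0.0)) < tol
               for a in labels for b in labels)

if __name__ == "__main__":
    print("C2^perp =", sorted(C2_PERP), "contained in C1:", set(C2_PERP) <= set(C1))
    print("(16) holds for all (x, v):", all_cases_hold())
    print("states (8) orthonormal:", states_orthonormal())
```

Because the entries of the right-hand side are all diagonal in the computational basis, a sender who only prepares $|x+v+w\rangle$ for a uniformly random $w \in C_2^\perp$ emits, to anyone outside, the same density operator as a sender who prepares the entangled code state for a random $z$; that is the whole content of the reduction.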
Up to now, we have fixed our attention on proving the security. However, we should also ensure reliable transmission. Namely, the probability of disagreement between Alice's data $\mathsf{V}$ and Bob's data $\mathsf{V}'$, which should be the result of decoding the cryptographic code, must be reasonably small. For the conjugate-code-based (CSS-code-based) cryptographic code, we employ the following decoding principle. The receiver performs a decoding algorithm for the coset code $x + C_1$ that corrects errors in $\Gamma_1$, a set of coset representatives of $\mathbb{F}_q^n/C_1$. The algorithm is the obvious modification of a decoding algorithm for the linear code $C_1$. In the next subsection, we will see that a CSS quantum code with high fidelity results in a secure and reliable cryptographic code, where a reliable cryptographic code means one with small decoding error probability. Note that if $P_{\mathsf{X}}(x) = 1$ for some $x$, we do not have to send $\mathsf{X}$ (see the next subsection).

C. Evaluating Fidelity

Note that the underlying CSS codes (before the reduction) have the fidelity $\mathbb{E}F_{\mathsf{XZ}}$, which is bounded by
$$1 - \mathbb{E}F_{\mathsf{XZ}} \le P_{\mathcal{A}}\big(J(\Gamma_1',\Gamma_2')^c\big), \qquad (17)$$
where $J$, $\Gamma_1'$ and $\Gamma_2'$ are as in (10) and (11). The right-hand side of (17) can be written as $\Pr\{\xi \notin \Gamma_1' \text{ or } \zeta \notin \Gamma_2'\}$, and hence we have
$$1 - \mathbb{E}F_{\mathsf{XZ}} \le \Pr\{\xi \notin \Gamma_1'\} + \Pr\{\zeta \notin \Gamma_2'\},$$
where $\xi$ and $\zeta$ are random variables such that the distribution of $[\xi,\zeta]$ is given by $P_{\mathcal{A}}$. Equality holds in (17) if $|\Gamma_1| = q^{n-k_1}$ and $|\Gamma_2| = q^{n-k_2}$ (namely, if they are complete systems of coset representatives). This follows from the fact that the code is $N_{J(\Gamma_1',\Gamma_2')}$-correcting and that the fidelity of an $N_J$-correcting symplectic code is $1 - P_{\mathcal{A}}(J)$ for a channel $\mathcal{A}: \mathsf{L}(\mathcal{H}^{\otimes n}) \to \mathsf{L}(\mathcal{H}^{\otimes n})$, where the probability distribution $P_{\mathcal{A}}$ is associated with $\mathcal{A}$ in the manner described in [7], [17] (see also Section V). In the present context, $\mathcal{A} = \mathcal{N}'\mathcal{E}\mathcal{N}$.
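As an added worked example (not from the paper), the conjugate-code-based cryptographic code and the decoding principle above, carried out over $\mathbb{F}_2$ for the constructed instance $C_1 = C_2 =$ the $[7,4]$ Hamming code: its dual is the $[7,3]$ simplex code, which lies inside the Hamming code, so (2) holds and $k = 4 + 4 - 7 = 1$ (the Steane CSS code, seen purely as the quotient code $C_1/C_2^\perp$). Alice sends $x + v + w$ with $w$ uniform in $C_2^\perp$, the mixture (16); Bob, knowing $x$, runs minimum-distance decoding of the coset code $x + C_1$ and reads off which coset of $C_2^\perp$ the decoded word lies in. The function names (`encode`, `decode`, `roundtrip`, ...), the brute-force dual and the bit-flip channel are this example's own assumptions; the last checks show the failure mode when the error pattern falls outside $\Gamma_1$.

```python
"""Added example (not from the paper): a binary conjugate code pair and the
reduced conjugate-code-based cryptographic code of Section IV-B.

Constructed instance: C1 = C2 = [7,4] Hamming code. C2^perp is the [7,3]
simplex code (weights 0 and 4 only), contained in C1, so (2) holds and
k = k1 + k2 - n = 1: one secret bit per 7 sent bits.
"""
import math
import random
from itertools import product

N = 7
# Generator matrix of the [7,4] Hamming code in systematic form [I | A].
G_HAMMING = [
    (1, 0, 0, 0, 0, 1, 1),
    (0, 1, 0, 0, 1, 0, 1),
    (0, 0, 1, 0, 1, 1, 0),
    (0, 0, 0, 1, 1, 1, 1),
]

def add(a, b):
    """Vector addition over F_2 (also subtraction)."""
    return tuple((x + y) % 2 for x, y in zip(a, b))

def dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % 2

def weight(a):
    return sum(a)

def span(rows):
    """All F_2-linear combinations of the rows: the code they generate."""
    words = set()
    for coeffs in product((0, 1), repeat=len(rows)):
        w = (0,) * N
        for c, r in zip(coeffs, rows):
            if c:
                w = add(w, r)
        words.add(w)
    return words

def dual(code):
    """C^perp by brute force over F_2^7 (128 candidates): fine for n = 7."""
    return {y for y in product((0, 1), repeat=N) if all(dot(x, y) == 0 for x in code)}

C1 = span(G_HAMMING)
C2 = C1
C2_PERP = dual(C2)

def is_conjugate_pair(c1, c2):
    """Condition (2): C2^perp <= C1 (equivalently C1^perp <= C2)."""
    return dual(c2) <= c1

def coset_rank(c1, c2):
    """k = k1 + k2 - n of (3): number of secret digits per codeword."""
    k1, k2 = int(math.log2(len(c1))), int(math.log2(len(c2)))
    return k1 + k2 - N

# Coset representatives of C1 / C2^perp. The all-ones word is a Hamming
# codeword of weight 7, hence not in the simplex code: two cosets, k = 1.
V_REPS = {0: (0,) * N, 1: (1,) * N}

def encode(v_bit, x, rng=random):
    """Alice: send x + v + w with w uniform in C2^perp (the mixture (16))."""
    w = rng.choice(sorted(C2_PERP))
    return add(add(x, V_REPS[v_bit]), w)

def decode(y, x):
    """Bob: minimum-distance decoding of the coset code x + C1, then read off
    the coset of C2^perp containing the decoded codeword."""
    c = min(C1, key=lambda cw: weight(add(add(y, x), cw)))   # nearest cw to y - x
    for v_bit, rep in V_REPS.items():
        if add(c, rep) in C2_PERP:          # c - rep in C2^perp <=> same coset
            return v_bit
    raise ValueError("decoded word is not in C1")   # unreachable: c is in C1

def flip(y, positions):
    """Bit-flip channel: constructed error pattern on the given coordinates."""
    e = tuple(1 if i in positions else 0 for i in range(N))
    return add(y, e)

def roundtrip(v_bit, error_positions, seed=0):
    """One use of the cryptographic code; x is shared (it may be public)."""
    rng = random.Random(seed)
    x = tuple(rng.randrange(2) for _ in range(N))
    y = flip(encode(v_bit, x, rng), error_positions)
    return decode(y, x)

if __name__ == "__main__":
    print("conjugate pair:", is_conjugate_pair(C1, C2), " k =", coset_rank(C1, C2))
    for v in (0, 1):
        print("v =", v, "no error ->", roundtrip(v, ()), " one error ->", roundtrip(v, (3,)),
              " two errors ->", roundtrip(v, (0, 1)))
```

Any error of weight at most 1 lies in $\Gamma_1$ (a set of coset leaders of $\mathbb{F}_2^7/C_1$), so it is corrected and the secret bit survives. A weight-2 pattern is outside $\Gamma_1$: since the Hamming code is perfect, the received word then sits at distance 1 from a codeword that differs from the sent one by a weight-3 codeword, which is never in the simplex code, so the decoded bit is always the wrong one. This is the decoding error probability $\Pr\{\xi \notin \Gamma_1'\}$ that Section IV-C bounds through the fidelity.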
An important fact is that the right-hand side of (17) is not smaller than $\Pr\{\xi \notin \Gamma_1'\}$, which is the decoding error probability when the quotient code $C_1/C_2^\perp$ is used as a conjugate-code-based cryptographic code. Hence, by bounding the fidelity of the underlying CSS quantum codes through (17), we automatically obtain bounds on the security and reliability simultaneously.

There are subtleties on (17). This fidelity bound is true for a general TPCP map $\mathcal{A}: \mathsf{L}(\mathcal{H}^{\otimes n}) \to \mathsf{L}(\mathcal{H}^{\otimes n})$ if $P_{\mathsf{XZ}}$ is uniform. This is because (17) is based on Corollary 4 to Theorem 3 in [17] or the alternative reasoning in [7, Appendix A], and each of these assumes the distribution of the syndrome $(\mathsf{X},\mathsf{Z})$ is uniform. A desirable situation in the reduced cryptographic code is that the entropy of $P_{\mathsf{X}}$ is small. In particular, if $P_{\mathsf{X}}(x) = 1$ for some $x$, or (17) is true for such a random variable $\mathsf{X}$ for other reasons, we do not need the public channel to send $\mathsf{X}$. This is possible if the map $\mathcal{A} = \mathcal{N}'\mathcal{E}\mathcal{N}$ is known to the legitimate participants of the protocol, as explained below.

The history of information theory suggests it would be reasonable to treat first the tractable case where $\mathcal{E}$ is known to the legitimate participants (and $\mathcal{A} = \mathcal{E}^{\otimes n}$) to pursue the fundamentals of the issue of transmitting private data (cf. [20], [21]). Then, we can interpret the above argument as indicating the existence of a good cryptographic code (a kind of random coding proof). Namely, we can single out the best index $\hat{x}$ such that $\mathbb{E}_{\mathsf{Z}}F_{\hat{x}\mathsf{Z}} \ge \mathbb{E}_{\mathsf{XZ}}F_{\mathsf{XZ}}$, where $\mathbb{E}_{\mathsf{Y}}$ denotes the expectation operator with respect to a random variable $\mathsf{Y}$. Replacing the original random variable $\mathsf{X}$ with one whose probability concentrates on $\hat{x}$, we have a protocol that does not require transmission of the information $\mathsf{X}$ through an auxiliary public channel. Still, it would be desirable to remove the assumption that the legitimate participants know $\mathcal{A}$. That is, universal codes that do not depend on the channel characteristics are desirable.
Regarding this issue, we make a small step forward. It seems difficult to construct universal cryptographic codes without transmission of auxiliary information for the completely general class of channels. However, this is possible with our conjugate-code-based cryptographic code if the class of $\mathcal{A}$ is restricted to those such that $\mathbb{E}_{\mathsf{Z}}F_{x\mathsf{Z}}$ does not depend on $x$. This situation occurs if, e.g., $\mathcal{A}$ has the form
$$\mathcal{A}: \rho \mapsto \sum_{u,w \in \mathbb{F}_q^n} P(u,w)\, X^u Z^w \rho\, (X^u Z^w)^\dagger$$
with a probability distribution $P$ on $(\mathbb{F}_q^n)^2$. This condition is equivalent to $\mathcal{A}$ being 'Weyl-covariant': $\mathcal{N}_x\mathcal{A} = \mathcal{A}\mathcal{N}_x$, where $\mathcal{N}_x: \rho \mapsto N_x \rho N_x^\dagger$, $x \in \mathcal{X}^n$ (see, e.g., [17, Section 2.5]). More generally, the situation occurs if $\mathcal{A}$ has the property $\mathcal{A}(X^u \rho X^{-u}) = X^u \mathcal{A}(\rho) X^{-u}$ for any $\rho \in \mathsf{L}(\mathcal{H}^{\otimes n})$ and $u \in \mathbb{F}_q^n$. This condition is equivalent to
$$\langle l-u|\,\mathcal{A}(|i-u\rangle\langle j-u|)\,|m-u\rangle = \langle l|\,\mathcal{A}(|i\rangle\langle j|)\,|m\rangle$$
for any $i, j, l, m, u \in \mathbb{F}_q^n$, which reads 'the channel looks the same if we translate the basis $(|i\rangle)_i$ to $(|i-u\rangle)_i$.'

V. GENERAL SYMPLECTIC CODES

In this and the next section, the order $q$ of the finite field $\mathbb{F}_q$ is not necessarily a prime. In this section, we digress to explain how general symplectic codes are defined and how CSS codes are obtained from the general definition. The $2n$-dimensional linear space $\mathbb{F}_q^{2n}$ over $\mathbb{F}_q$ equipped with the standard symplectic form
$$f_{sp}\big((x_1,z_1,\dots,x_n,z_n),(x_1',z_1',\dots,x_n',z_n')\big) = \sum_i x_i z_i' - z_i x_i',$$
which has already appeared in (6), plays a crucial role in algebraic QECCs. We can define the dual $L^{\perp_{sp}}$ of $L$ by
$$L^{\perp_{sp}} = \{y \in \mathbb{F}_q^{2n} \mid \forall x \in L,\ f_{sp}(x,y) = 0\}.$$
Let us call a subspace $L$ with $L^{\perp_{sp}} \le L$ an $f_{sp}$-dual-containing code or a dual-containing code (with respect to the symplectic form $f_{sp}$). Then, we have a quantum code whose performance is closely related to that of the classical code $L$. The code is called a symplectic (quantum) code with parity check set $(y_1,\dots,y_{n-k})$, where $y_1,\dots,y_{n-k} \in \mathbb{F}_q^{2n}$ form a basis of $L^{\perp_{sp}}$, or a symplectic code with stabilizer $N_{L^{\perp_{sp}}}$.
Here, $N: u \mapsto N_u$ is Weyl's projective representation [15] of $\mathbb{F}_q^{2n}$ (the same as in Section III). Suppose $\mathcal{A}_{n,k}$ is the ensemble of $[2n, n+k]$ $f_{sp}$-dual-containing codes over $\mathbb{F}_q$. We can regard them as $[n, (n+k)/2]$ additive codes over $\mathcal{X} = \mathbb{F}_q^2$ if we pair up the coordinates of any word $(x_1,z_1,\dots,x_n,z_n)$ to have $((x_1,z_1),\dots,(x_n,z_n)) \in \mathcal{X}^n$. We can associate with an $[n,(n+k)/2]$ $f_{sp}$-dual-containing code a set of $q^k$-dimensional subspaces of $\mathcal{H}^{\otimes n}$, which can be used for quantum error correction [3], [4], [5]. Namely, we have the next lemma, which is a slight reformulation of the original one [3], [4].

Lemma 1: Suppose a subspace $L \in \mathcal{A}_{n,k}$ and a set $J$ of representatives of cosets of $L$ in $\mathbb{F}_q^{2n}$ are given. Then, we have a $q^k$-dimensional subspace of $\mathcal{H}^{\otimes n}$ that works as an $N_{\tilde{J}}$-correcting code with a suitable recovery operator, where $\tilde{J} = J + L^{\perp_{sp}} = \{x + y \mid x \in J,\ y \in L^{\perp_{sp}}\}$.

For a proof, see [4] or, e.g., [22], [17]. Roughly speaking, given a set of operators $F$, a quantum code being $F$-correcting, or a code correcting 'errors' in $F$, means that it recovers any state in the code subspace perfectly after the state suffers 'errors' belonging to $F$ [16]. The precise definition of $F$-correcting is not requisite for evaluating the performance of quantum codes. Indeed, the next fact is enough to treat symplectic codes [17]: if we properly define the performance measure of symplectic codes, it equals the probability $P_{\mathcal{A}}(\tilde{J})$. The performance measure is the entanglement fidelity averaged over the whole set of syndromes, which was already used in Section IV.

A CSS code is a symplectic code with stabilizer $N_{L^{\perp_{sp}}}$ such that $L^{\perp_{sp}}$ has the form $L^{\perp_{sp}} = \{[u,w] \mid u \in C_2^\perp,\ w \in C_1^\perp\}$ with some $C_1$ and $C_2$. In this case, $L = \{[u,w] \mid u \in C_1,\ w \in C_2\}$, so that $L^{\perp_{sp}} \le L$ can be written as $C_2^\perp \le C_1$, the requirement we have posed.

VI. QUOTIENT CODES

Now, we turn to the realm of finite fields or algebraic coding theory. In [9], the notion of quotient codes was introduced to explain QECCs. The aim of [9] was to exhibit the essence, at least for algebraic coding theorists, of algebraic quantum coding. A quotient code of length $n$ over $\mathbb{F}_q$ is an additive quotient group $C/B$ with $B \le C \le \mathbb{F}_q^n$. In the scenario of quotient codes in [9], the sender encodes a message into a member $c$ of $C/B$, chooses a word in $c$ according to some probability distribution on $c$, and then sends it through the channel. Clearly, if $C$ is $J$-correcting in the ordinary sense, $C/B$ is $(J+B)$-correcting (since adding a word in $B$ to a code coset does not change it). A conjugate-code-based cryptographic code effectively means a quotient code in this scenario. A conjugate-code-based cryptographic code may be said to be an error-correcting code that can protect information from eavesdroppers, and hence may be called a cryptographic error-correcting code.

Lemma 1 may be read as saying that if $L$ is a dual-containing code with respect to $f_{sp}$, and the quotient code $L/L^{\perp_{sp}}$ is $\tilde{J}$-correcting, then the corresponding symplectic quantum code is $N_{\tilde{J}}$-correcting. Turning our attention to the CSS code specified as above with $C_1$, $C_2$, the quotient code $L/L^{\perp_{sp}}$ has the form $C_1/C_2^\perp \oplus C_2/C_1^\perp$. Thus, the CSS code $Q_{xz}$ in Section III is $N_{J(\Gamma_1',\Gamma_2')}$-correcting with $\Gamma_1' = \Gamma_1 + C_2^\perp$ and $\Gamma_2' = \Gamma_2 + C_1^\perp$. In particular, the CSS code has large fidelity if both $C_1/C_2^\perp$ and $C_2/C_1^\perp$ have small decoding error probabilities. This is the ground from which the goal described in Section II stems. It might be said that the structure of quotient codes was inherent in quantum error-correcting codes and CSS-code-based cryptographic codes.

VII. REMARKS

A. Model of Eavesdropping

A measurement is modeled as a completely positive (CP) instrument whose measurement result belongs to a finite or countable set (e.g., [23], [24], [25], [26], [27]). The specific model employed in this work is the same as in [7] and is as follows. We assume a TPCP map $\mathcal{A}: \mathsf{L}(\mathcal{H}^{\otimes n}) \to \mathsf{L}(\mathcal{H}^{\otimes n})$ represents the whole action of Eve (plus the other environment). This means that there exists a decomposition (CP instrument) $\{\mathcal{A}_i\}_i$ such that $\mathcal{A} = \sum_i \mathcal{A}_i$, where the $\mathcal{A}_i$ are trace-nonincreasing CP maps, and when the initial state of the system of the whole sent digits is $\rho$, Eve obtains data $\mathsf{E} = i$ with probability $\mathrm{Tr}\,\mathcal{A}_i(\rho)$, leaving the system in state $\mathcal{A}_i(\rho)/\mathrm{Tr}\,\mathcal{A}_i(\rho)$. Here, the decomposition may depend on the other random variables available to Eve.

A minor comment follows. Let the random variable $\mathsf{E}'$ denote Eve's measurement result on the whole sent digits. Then, the random variable $\mathsf{E}$ mentioned above has more information than $\mathsf{E}'$, since $\mathsf{E}$ includes the data relevant to the other environment. However, there is no harm in considering $\mathsf{E}$ as Eve's data for the purpose of proving the security.

B. Related Information Theoretic Problems

In [20], [21], information theoretic problems related to ours are treated. These and the present work or [7] share the goal of secure transmission of private data, but the specific purpose of [20], [21] is to establish coding theorems on the best asymptotically achievable rates. Our codes are linear codes, while theirs lack such a helpful structure and are hard to conceive as aimed at practical use. The quantum theoretical models treated in the literature mentioned above can be regarded as generalizations of that of [28]. What are called conjugate-code-based cryptographic codes in the present work essentially fall in the class of coding systems in [28].

C. Wiesner's Conjugate Coding

The term 'conjugate coding' appeared in the pioneering work on quantum cryptography [29], where the idea of encoding secret information into quantum states, more specifically, into conjugate bases, was proposed. This idea is still alive in CSS-code-based cryptographic codes or QKD schemes. However, this is a problem of modulation in the language of communication engineers.
Thus, our meaning of 'conjugate' is different from, though related to, that of [29].

D. QKD Protocol

The BB84 QKD protocol as treated in [30], [6] or its variants is, roughly speaking, the CSS-code-based cryptographic code plus a scheme for estimating the noise level, where the noise includes the effect of eavesdropping. Mainly due to the scheme for noise estimation, the protocol needs public communication. We used the dichotomy of cryptographic codes and estimation schemes in the analysis of the QKD protocol in [7], and have focused more on cryptographic codes in the present work.

E. Non-prime Alphabet

Let $q = p^m$ with $p$ prime. We have assumed $m = 1$ in Sections III and IV. When $m > 1$, a conjugate code pair $(C_1, C_2)$ over $\mathbb{F}_q$ is still useful for quantum coding and cryptography. This is because elements of $\mathbb{F}_q$ can be expanded into $\mathbb{F}_p^m$ using dual bases in such a way that
$$\mathrm{Tr}_{\mathbb{F}_q/\mathbb{F}_p}\, xy = \sum_i x_i y_i,$$
where $(x_1,\dots,x_m)$ is the representation of $x$ with respect to one basis and $(y_1,\dots,y_m)$ is that of $y$ with respect to the dual basis [31]. Applying these representations to $(C_1, C_2)$, we obtain a conjugate code pair over $\mathbb{F}_p$. This follows easily from [32, Theorem 1] or [33, Theorem 1].

F. Proof of (16)

The left-hand side can be written as
$$\frac{1}{|C_2^\perp|^2}\sum_{z}\sum_{w,w' \in C_2^\perp} \omega^{z\cdot(w-w')}\, |x+v+w\rangle\langle x+v+w'|,$$
and we see $\sum_z \omega^{z\cdot(w-w')}$ vanishes whenever $w \ne w'$ (see footnote 6). Hence, we have (16).

G. Other Comments

We take this opportunity to make corrections to related works of the present author [7], [34], [9].
(a) Ref. [7]: On p. 8313, line 5, '$\tilde{\Gamma}_n = \Gamma_n + 1^n$' should read '$\tilde{\Gamma}_n = \Gamma_n + \{0^n, 1^n\}$'.
(b) Ref. [9]: On p. 453, right column, 5th line from the bottom, 'basis of $L$' should read 'basis of $L^{\perp_{sp}}$'.
(c) Ref. [9]: On p. 453, right column, 4th line from the bottom, '$N_L$' should read '$N_{L^{\perp_{sp}}}$'.
(d) Ref. [34]: On p. 6, right column, line 16, the period should be removed, and 'With' in the subsequent line should be decapitalized.
VIII. SUMMARY AND CONCLUDING REMARKS

Conjugate codes were introduced without referring to Hilbert spaces so as to be more accessible to algebraic coding theorists. The bridge between the coding theorists' universe, the vector space over a finite field, and the quantum mechanical world represented by Hilbert spaces is Weyl's projective representation $N$ of $\mathbb{F}_q^{2n} \simeq \mathcal{X}^n$, $N: \mathcal{X}^n \ni x \mapsto N_x$. Applicability of conjugate codes to cryptography was argued. A class of good conjugate code pairs will be given in future works [33], [35], [36].

Footnote 6: This follows by an easy direct calculation, but may be seen as a basic property of characters (e.g., [12]): the map $f: z \mapsto \omega^{z\cdot(w-w')}$ is a character, and $f(z) \ne 1$ for some $z$ if $w \ne w'$.

ACKNOWLEDGMENT

The author wishes to thank O. Hirota, Professor of Tamagawa University, for encouragement.

REFERENCES

[1] P. W. Shor, "Scheme for reducing decoherence in quantum computer memory," Phys. Rev. A, vol. 52, pp. R2493–2496, 1995.
[2] A. R. Calderbank and P. W. Shor, "Good quantum error correcting codes exist," Phys. Rev. A, vol. 54, pp. 1098–1105, 1996.
[3] A. R. Calderbank, E. M. Rains, P. W. Shor, and N. J. A. Sloane, "Quantum error correction and orthogonal geometry," Phys. Rev. Lett., vol. 78, pp. 405–408, Jan. 1997.
[4] A. R. Calderbank, E. M. Rains, P. W. Shor, and N. J. A. Sloane, "Quantum error correction via codes over GF(4)," IEEE Trans. Inform. Theory, vol. 44, pp. 1369–1387, July 1998.
[5] D. Gottesman, "Class of quantum error-correcting codes saturating the quantum Hamming bound," Phys. Rev. A, vol. 54, pp. 1862–1868, Sept. 1996.
[6] P. Shor and J. Preskill, "Simple proof of security of the BB84 quantum key distribution protocol," Phys. Rev. Lett., vol. 85, pp. 441–444, July 2000.
[7] M. Hamada, "Reliability of Calderbank-Shor-Steane codes and security of quantum key distribution," J. Phys. A: Math. Gen., vol. 37, pp. 8303–8328, 2004. E-print quant-ph/0308029, LANL, 2003.
[8] A. M. Steane, "Efficient fault-tolerant quantum computing," Nature, vol. 399, pp. 124–126, 1999.
[9] M. Hamada, "Quotient codes and their reliability," IPSJ Digital Courier, vol. 1, pp. 450–460, Oct. 2005. Available at http://www.jstage.jst.go.jp/article/ipsjdc/1/0/1 450/ articl Also appeared in IPSJ Journal, vol. 46, no. 10, pp. 2428–2438, Oct. 2005.
[10] R. J. McEliece, The Theory of Information and Coding. London: Addison-Wesley, 1977.
[11] W. W. Peterson and E. J. Weldon, Jr., Error-Correcting Codes. MA: MIT Press, 2nd ed., 1972.
[12] J. H. van Lint, Introduction to Coding Theory. Berlin: Springer-Verlag, 3rd ed., 1999.
[13] F. J. MacWilliams and N. J. A. Sloane, The Theory of Error-Correcting Codes. NY: North-Holland, 1977.
[14] E. R. Berlekamp, ed., Key Papers in The Development of Coding Theory. NY: IEEE Press, 1974.
[15] H. Weyl, Gruppentheorie und Quantenmechanik. Leipzig: Verlag von S. Hirzel in Leipzig, 1928. English translation, The Theory of Groups and Quantum Mechanics, of the second (1931) ed. was reprinted by Dover, 1950.
[16] E. Knill and R. Laflamme, "Theory of quantum error-correcting codes," Phys. Rev. A, vol. 55, pp. 900–911, Feb. 1997.
[17] M. Hamada, "Notes on the fidelity of symplectic quantum error-correcting codes," International Journal of Quantum Information, vol. 1, no. 4, pp. 443–463, 2003.
[18] B. Schumacher, "Sending entanglement through noisy quantum channels," Phys. Rev. A, vol. 54, pp. 2614–2628, Oct. 1996.
[19] I. Csiszár and J. Körner, Information Theory: Coding Theorems for Discrete Memoryless Systems. NY: Academic, 1981.
[20] I. Devetak, "The private classical information capacity and quantum information capacity of a quantum channel," IEEE Trans. Information Theory, vol. 51, pp. 44–55, Jan. 2005.
[21] N. Cai, A. Winter, and R. W. Yeung, "Quantum privacy and quantum wiretap channels," Problems of Information Transmission, vol. 40, no. 4, pp. 318–336, 2004.
[22] A. Ashikhmin and E. Knill, "Nonbinary quantum stabilizer codes," IEEE Trans. Information Theory, vol. 47, pp. 3065–3072, Nov. 2001.
[23] A. S. Holevo, Statistical Structure of Quantum Theory. Berlin: Springer, 2001.
[24] K. Kraus, "General state changes in quantum theory," Annals of Physics, vol. 64, pp. 311–335, 1971.
[25] K.-E. Hellwig, "General scheme of measurement processes," International Journal of Theoretical Physics, vol. 34, pp. 1467–1479, 1995. Reprinted in Quantum Computation and Quantum Information Theory, C. Macchiavello et al., eds., World Scientific, Singapore, 2000.
[26] K. Kraus, States, Effects, and Operations. Berlin: Springer, 1983. Lecture Notes in Physics, vol. 190.
[27] J. Preskill, Lecture Notes for Physics 229: Quantum Information and Computation. 1998. Available at http://www.theory.caltech.edu/people/preskill/ph229.
[28] A. D. Wyner, "The wire-tap channel," The Bell System Technical Journal, vol. 54, pp. 1355–1387, Oct. 1975.
[29] S. Wiesner, "Conjugate coding," SIGACT News, vol. 15, no. 1, pp. 78–88, 1983.
[30] D. Mayers, "Unconditional security in quantum cryptography," J. Assoc. Comp. Mach., vol. 48, pp. 351–406, 2001.
[31] R. Lidl and H. Niederreiter, Finite Fields. Cambridge: Cambridge University Press, 2nd ed., 1997.
[32] T. Kasami and S. Lin, "The binary weight distribution of the extended (2^m, 2^m − 4) code of the Reed-Solomon code over GF(2^m) with generator polynomial (x − α)(x − α^2)(x − α^3)," Linear Algebra Appl., vol. 98, pp. 291–307, 1988.
[33] M. Hamada, "Concatenated conjugate codes," submitted to IEEE Trans. Information Theory, 2006.
[34] M. Hamada, "Teleportation and entanglement distillation in the presence of correlation among bipartite mixed states," Phys. Rev. A, vol. 68, pp. 012301-1–7, 2003. E-print quant-ph/0302054, LANL, 2003.
[35] M. Hamada, "Minimum distance of concatenated conjugate codes for cryptography and quantum error correction," to be submitted to IEEE Trans. Information Theory, 2006.
[36] M. Hamada, "Conjugate codes for secure and reliable information transmission," to appear in Proc. Information Theory Workshop 2006, Chengdu, China, 2006.